SYS-08 Oracle Fusion Cloud System / Technical Guided Actions

Security & Role Diagnostic (Oracle Fusion)

Fusion security diagnostics via the REST Identity API and OTBI — role assignments, dormant user detection, SoD conflict analysis, Data Security Policy completeness, and HCM Security Profile validity.

Platform: Oracle Fusion Cloud
Input Required: Username or Role Name
Diagnostic Checks: REST + OTBI + BIP
Data Sources: OTBI / REST / BIP
Fix Options: Guided UI Actions

Why This Fails — and What It Costs

Oracle Fusion Cloud security role diagnostics address a more complex security model than Oracle EBS R12. Where EBS uses responsibility-based security with menu exclusions and function security profiles, Fusion uses a layered role model: Job Roles (coarse-grained, business function roles like Accounts Payable Manager), Duty Roles (functional groupings of privileges), Privilege Roles (individual action permissions like Create Invoice), and Data Security Policies (row-level access restrictions by business unit, legal entity, or data object). A user's effective access is the union of all privileges from all role assignments, minus any exclusions.

The most common Fusion security issue is a missing role assignment that prevents a user from accessing a function they need. In Fusion, every navigation path, every ESS submission, every REST API call, and every UI action requires at least one privilege. When a user reports they cannot see a menu item or cannot submit an ESS job, the diagnostic task is to identify which privilege controls that action, determine which duty role contains that privilege, determine which job role contains that duty role, and confirm whether the user has that job role assigned — or whether a data security policy is restricting access even with the correct role.

Data security policies are the second major complexity area. A user may have the correct job role to perform an action (functional security) but still be blocked because their data security policy does not grant access to the specific business unit or legal entity they are trying to work with. Fusion data security is managed through Security Console > Manage Data Access for Users, and diagnosing it requires checking both the user's role assignments and their data access grants separately — they are independent access controls.

SYS-08 provides a structured Fusion security diagnostic using Security Console for role hierarchy analysis, OTBI Security subject areas for user role assignment analysis, REST API GET /security/users/{id}/roles for programmatic role inspection, and the Fusion Privilege Trace feature for identifying exactly which privilege controls a specific UI action or menu path.

What This Script Diagnoses

SYS-08 systematically investigates every major condition that can cause the issue this diagnostic targets. Below is the complete coverage breakdown.

Role Assignment Analysis
REST API GET /security/users/{id}/roles — all current role assignments. Security Console role hierarchy — privilege to duty role to job role mapping. Identifies the exact missing role for any reported access issue.
Privilege Mapping
Privilege Trace — identifies the exact privilege controlling a specific UI action, menu item, or ESS submission. Maps the privilege up through the duty role and job role hierarchy to the correct assignment to add.
Data Security Check
Manages Data Access for Users — confirms whether the user has the correct business unit and legal entity access for their role. Separates functional security issues from data security issues — both must be correct for access to work.
SoD Conflict Prevention
Segregation of Duties conflict check before any role addition. Identifies conflicting role pairs from the SoD policy configuration. Documents the exception approval process for cases where conflicting roles are required by the business.

Example Completed Worksheet

Completed diagnostic worksheet showing what the full diagnostic picture looks like after all steps have been worked through. Your worksheet will reflect your environment's specific data — the steps, tool sequence, and REST API calls to assemble it are documented in the Audit Trail section below.

SYS-08 — Fusion Diagnostic
════════════════════════════════════════════════════════════
  ORACLE FUSION — SECURITY ROLE DIAGNOSTIC
════════════════════════════════════════════════════════════
  Username           : JMARTINEZ
  Issue Reported     : Cannot submit Create Accounting ESS job
  Case Number        : FC-SYS-2026-0712
  Report Date        : 24-FEB-2026 13:30:18
════════════════════════════════════════════════════════════

[ STEP 1 — REST API ROLE ASSIGNMENTS ]     STATUS: ✓ ROLES RETRIEVED
────────────────────────────────────────────────────────────
  REST Endpoint      : GET /security/users/JMARTINEZ/roles
  Assigned Roles     : Accounts Payable Specialist, GL Inquiry
  Missing Role       : Accounting Hub — Journal Entry Management (not assigned) ✗

[ STEP 2 — PRIVILEGE ANALYSIS ]            STATUS: ✗ PRIVILEGE MISSING
────────────────────────────────────────────────────────────
  Required Privilege : Submit Accounting Hub Processes (FUN_SUBMIT_ACCTG_HUB)
  Contained In       : Duty: Accounting Hub Management Duty
  Contained In       : Job Role: Accounting Hub — Journal Entry Management
  ✗ FAIL: JMARTINEZ does not have this job role assigned

[ STEP 3 — DATA SECURITY CHECK ]           STATUS: ✓ PASS
────────────────────────────────────────────────────────────
  Data access for US Primary Ledger granted via AP Specialist role ✓
  No data security restriction blocking access once role is assigned ✓

[ STEP 4 — SEGREGATION OF DUTIES ]         STATUS: ✓ PASS
────────────────────────────────────────────────────────────
  No SoD conflict — Accounting Hub role does not conflict with AP Specialist ✓

════════════════════════════════════════════════════════════
  FUSION DIAGNOSTIC SUMMARY
════════════════════════════════════════════════════════════
  Missing job role — assign Accounting Hub — Journal Entry Management
  FIX: Security Console > Users > JMARTINEZ > Add Role
════════════════════════════════════════════════════════════

The Four-Layer Architecture in SYS-08

1. Diagnostic Steps
Fusion security diagnostic using REST API GET /security/users/{id}/roles for current role assignments, Security Console role hierarchy for privilege-to-duty-to-job role mapping, OTBI Security subject areas for user population analysis, and Privilege Trace for identifying the exact privilege controlling a specific UI action.
2. Backup Created
All diagnostic steps are read-only until the SoD check and manager approval are complete. Current role assignments exported via REST API and OTBI before any change. Provides the before-state record for the security audit trail.
3. Guided Data Fix
Role assignments via Security Console > Users > Assign Roles. Data access grants via Security Console > Manage Data Access for Users. All changes logged in the Fusion security audit trail. SoD conflict check is mandatory before any role addition.
4. KB Article Generated
Complete KB article from REST API and Security Console output — username, issue, missing privilege, role hierarchy chain, SoD check result, role assigned, access confirmed.

Documentation Before Every Action — SYS-08

Fusion Cloud does not permit direct database access. Every corrective action goes through a supported Oracle interface. Before any action is taken, the current state is exported and documented.

Pre-Action Documentation — SYS-08

REST API: GET /security/users/JMARTINEZ/roles — role list exported
OTBI: Security — user role assignment export before change
Security Console — role hierarchy screenshot before assignment

Exported before any UI action, ESS resubmission, or FBDI reimport. Provides a point-in-time record of the error state for the KB article and SR documentation if needed.

Pre-Action Verification

Security Console accessible: Confirmed ✓
REST API GET /security/users/roles response saved: Exported ✓
OTBI Security subject area export completed: Saved ✓
SoD conflict check completed — no conflicts: Verified ✓
Manager approval for role assignment obtained: Confirmed ✓

Audit Trail Record

CASE_NUMBER: <consultant case#>
DIAGNOSTIC_TOOL: <OTBI / REST API / BIP / ESS>
ERROR_SNAPSHOT: <exported before action>
ACTION_TAKEN: <UI path / ESS program / FBDI>
RESULT_VERIFIED: YES ✓

No Direct DB Access — By Design

Oracle Fusion Cloud is a SaaS environment. There is no consultant-accessible Oracle schema, no SQL*Plus connection, and no CONS_BACKUP tablespace. All diagnostic and corrective activity goes through OTBI, REST APIs, BIP reports, ESS programs, and the Fusion UI — the same supported tools Oracle Support uses.

REST API Reference — Endpoints Used in This Diagnostic

All API calls use OAuth 2.0 authentication. The base URL is your Fusion Cloud instance URL. Replace {instanceName} with your tenant name. Obtain the OAuth token via the /oauth/token endpoint using client credentials.

GET User Role Assignments
/hcmRestApi/resources/11.13.18.05/workers/{PersonId}/child/userAccountDetails
Path Parameters
PersonId integer — Fusion internal person ID for the user
Key Query Parameters
fields UserName,UserGUID,ActiveFlag,LockDate — for account status
Response Fields Read
UserName — the Fusion username
ActiveFlag — whether the account is active
LockDate — set if the account is locked (too many failed logins)
UserGUID — the unique identifier used in Security Console API calls
GET Roles Assigned to a User
/idaas/platform/rest/v1/users/{userLogin}/roles
Path Parameters
userLogin string — the Fusion username, e.g. JMARTINEZ
Key Query Parameters
limit integer — default 25, increase if user has many roles
Response Fields Read
roleCode — the Oracle role code, e.g. ORA_AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB
roleName — human-readable role name
roleType — JOB, DUTY, ABSTRACT, DATA
startDate, endDate — role effective dates (endDate null means active)
NOTE: The Identity Cloud (IDCS) REST API uses a separate OAuth scope from the Fusion REST API and requires the identity administrator to grant API access. Confirm whether your Fusion environment uses IDCS (SaaS) or OCI IAM before calling it.
GET Role Hierarchy (Privilege-to-Role Mapping)
/idaas/platform/rest/v1/roles/{roleId}/grantedRoles
Path Parameters
roleId string — the role GUID from the roles collection GET
Key Query Parameters
limit integer — increase for roles with large duty role lists
Response Fields Read
grantedRoleName — duty role or privilege granted by this job role
grantedRoleType — DUTY, PRIVILEGE, AGGREGATE
grantedRoleCode — the Oracle code for the granted role
NOTE: Traversing the full privilege hierarchy (Job Role → Duty Roles → Privileges) may require multiple GET calls. Security Console > Role Hierarchy provides the same view interactively and is faster for initial investigation.
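The role-assignment, privilege-mapping and SoD steps described above (worksheet steps 1, 2 and 4) as an added Python example; this is not code from SYS-08 or from Oracle. The two identity endpoints are modelled as callables, the JSON item shapes and the "id" key are assumptions built from the field names listed in this reference, and all responses are constructed so the check runs offline.

```python
"""Privilege reachability and SoD pre-check for the SYS-08 role diagnostic.
Added example, not the SYS-08 script or Oracle code. The two identity endpoints
documented above, GET .../users/{userLogin}/roles and GET .../roles/{roleId}/grantedRoles,
are modelled as callables so the traversal can later be pointed at a live tenant.
Item shapes and the "id" key are assumptions built from the field names on the page
(roleCode, roleType, endDate, grantedRoleCode, grantedRoleType); every response here
is constructed so the check runs offline."""
from typing import Callable, Dict, List, Optional, Set

Items = List[Dict]

# Constructed: items of GET /users/JMARTINEZ/roles. The third assignment has expired.
USER_ROLES: Dict[str, Items] = {"JMARTINEZ": [
    {"id": "r-ap", "roleCode": "ORA_AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB", "roleType": "JOB", "endDate": None},
    {"id": "r-gl", "roleCode": "ORA_GL_GENERAL_LEDGER_INQUIRY_JOB", "roleType": "JOB", "endDate": None},
    {"id": "r-old", "roleCode": "ORA_AP_PAYABLES_MANAGER_JOB", "roleType": "JOB", "endDate": "2025-12-31"},
]}
# Constructed: items of GET /roles/{roleId}/grantedRoles, keyed by roleId. Real
# hierarchies nest deeper (AGGREGATE roles); the walk below handles any depth.
GRANTED: Dict[str, Items] = {
    "r-ap": [{"id": "d-ap", "grantedRoleCode": "AP_INVOICE_PROCESSING_DUTY", "grantedRoleType": "DUTY"}],
    "d-ap": [{"id": "p-ap", "grantedRoleCode": "AP_CREATE_PAYABLES_INVOICE_PRIV", "grantedRoleType": "PRIVILEGE"}],
    "r-gl": [{"id": "d-gl", "grantedRoleCode": "GL_JOURNAL_INQUIRY_DUTY", "grantedRoleType": "DUTY"}],
    "d-gl": [{"id": "p-gl", "grantedRoleCode": "GL_REVIEW_JOURNAL_PRIV", "grantedRoleType": "PRIVILEGE"}],
    "r-ah": [{"id": "d-ah", "grantedRoleCode": "ACCOUNTING_HUB_MANAGEMENT_DUTY", "grantedRoleType": "DUTY"}],
    "r-ahm": [{"id": "d-ah", "grantedRoleCode": "ACCOUNTING_HUB_MANAGEMENT_DUTY", "grantedRoleType": "DUTY"}],
    "d-ah": [{"id": "p-ah", "grantedRoleCode": "FUN_SUBMIT_ACCTG_HUB", "grantedRoleType": "PRIVILEGE"}],
}
# Constructed: job-role catalogue (roleId -> roleCode) and one SoD policy pair.
JOB_CATALOG = {"r-ap": "ORA_AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB", "r-gl": "ORA_GL_GENERAL_LEDGER_INQUIRY_JOB",
               "r-ah": "ORA_AH_JOURNAL_ENTRY_MANAGEMENT_JOB", "r-ahm": "ORA_ACCOUNTING_HUB_MANAGER_JOB"}
SOD_PAIRS = {frozenset({"ORA_AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB", "ORA_ACCOUNTING_HUB_MANAGER_JOB"})}

def active_roles(items: Items) -> Items:
    """Keep assignments whose endDate is null; an expired row grants nothing today."""
    return [r for r in items if r.get("endDate") is None]

def privileges_of(role_id: str, get_granted: Callable[[str], Items],
                  seen: Optional[Set[str]] = None) -> Set[str]:
    """Walk Job -> Duty/Aggregate -> Privilege, one grantedRoles GET per node, cycle-safe."""
    seen = set() if seen is None else seen
    privs: Set[str] = set()
    for g in get_granted(role_id):
        if g["grantedRoleType"] == "PRIVILEGE":
            privs.add(g["grantedRoleCode"])
        elif g["id"] not in seen:
            seen.add(g["id"])
            privs |= privileges_of(g["id"], get_granted, seen)
    return privs

def diagnose(user: str, required_priv: str, get_user_roles: Callable[[str], Items],
             get_granted: Callable[[str], Items], job_catalog: Dict[str, str], sod_pairs) -> Dict:
    """Worksheet steps 1, 2 and 4: does any active role reach the privilege? If not,
    list catalogue job roles that would, flagging SoD conflicts with roles already held."""
    assigned = active_roles(get_user_roles(user))
    held = {r["roleCode"] for r in assigned}
    for r in assigned:
        if required_priv in privileges_of(r["id"], get_granted):
            return {"status": "PASS", "granted_by": r["roleCode"], "candidates": []}
    candidates = []
    for rid, code in job_catalog.items():
        if code in held or required_priv not in privileges_of(rid, get_granted):
            continue
        conflicts = sorted(h for h in held if frozenset({h, code}) in sod_pairs)
        candidates.append({"roleCode": code, "sod_conflicts": conflicts})
    return {"status": "FAIL", "granted_by": None, "candidates": candidates}

def run_worksheet(required_priv: str = "FUN_SUBMIT_ACCTG_HUB") -> Dict:
    """Replay the JMARTINEZ case against the constructed responses."""
    return diagnose("JMARTINEZ", required_priv, lambda u: USER_ROLES.get(u, []),
                    lambda rid: GRANTED.get(rid, []), JOB_CATALOG, SOD_PAIRS)
```

For the constructed data the result is FAIL with two candidate job roles, and only the one without an SoD conflict is a candidate for the Security Console assignment.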

Auto-Generated Knowledge Base Article

This article is produced automatically at the end of every SYS-08 execution — written from actual run output. No manual documentation required.

KB-FC-SYS-0712-001 · Script: SYS-08
JMARTINEZ Cannot Submit Create Accounting — Missing Accounting Hub Job Role
Symptom
JMARTINEZ unable to submit Create Accounting ESS job. Reports "You do not have permission to perform this action." REST API GET /security/users/JMARTINEZ/roles shows only AP Specialist and GL Inquiry roles. Required privilege FUN_SUBMIT_ACCTG_HUB not in either role.
Root Cause
JMARTINEZ was given a new responsibility for month-end Create Accounting submissions as of 01-FEB-2026. The IT team provisioned AP Specialist and GL Inquiry roles but did not add the Accounting Hub — Journal Entry Management role that contains the Create Accounting submission privilege.
Tables
REST API: GET /security/users/JMARTINEZ/roles — assignedRoles: [AP_SPECIALIST, GL_INQUIRY]
Security Console: Privilege FUN_SUBMIT_ACCTG_HUB → Duty: Accounting Hub Mgmt → Job Role: Accounting Hub Journal Entry Management (not assigned)
Fix Applied
Accounting Hub — Journal Entry Management job role assigned to JMARTINEZ via Security Console after SoD check confirmed no conflicts. Data access for US Primary Ledger already granted. JMARTINEZ confirmed able to submit Create Accounting ESS job after role propagation (15 minutes).
Prevention
Role provisioning checklist updated for month-end accounting users — Accounting Hub Journal Entry Management added to the standard provisioning template. SYS-08 access verification step added to the onboarding checklist for any user with Create Accounting responsibility.
Tags
Fusion Security, Security Console, Role Assignment, Job Role, Duty Role, Privilege, Data Security, Oracle Fusion Cloud

What This Script Finds

Access

Missing Job Role — Function Inaccessible

User provisioned with incomplete role set — has AP or GL roles but missing the specific job role containing the required privilege. SYS-08 maps from the reported access issue down to the exact missing role assignment.

Data

Data Security Restriction — Wrong BU

User has the correct functional role but data security policy restricts access to a different business unit or legal entity. The most commonly overlooked security layer in Fusion — functional and data security must both be correct.

SoD

Segregation of Duties Conflict

Requested role assignment conflicts with an existing role — triggers SoD policy violation. SYS-08 identifies the conflicting role pair, the policy, and the exception approval process.

Propagation

Role Assignment Not Taking Effect

Role assigned but user still cannot access the function. Role propagation delay (10-30 min) is expected — SYS-08 determines whether the delay is normal or whether the User Role Sync ESS job needs to be run.

Data Sources

Data Source | Type | Purpose
REST API: /security/users/{id}/roles | REST | Current role assignments for the user
Security Console — Role Hierarchy | Fusion UI | Privilege → Duty Role → Job Role mapping
Security Console — Privilege Trace | Fusion UI | Exact privilege controlling a UI action or menu item
Security Console — Data Access | Fusion UI | BU and legal entity data security grants
OTBI: Security Subject Area | OTBI | Population-level user role assignment analysis

Decision Framework

How Every Resolution Decision Is Made

Every condition identified by the diagnostic maps to exactly one resolution path. In Fusion Cloud, all paths go through supported Oracle interfaces — UI, REST API, FBDI, or ESS. Direct database access does not exist in this environment.

1. First Option — Always
Can the Fusion UI resolve this?

Oracle's own Fusion screens, Scheduled Processes (ESS), and workflow tools are always the first resolution path. Manage Invoices, Manage Suppliers, Manage Accounting Periods, BPM Worklist, Scheduled Processes — the diagnostic identifies the exact navigation path and screen sequence for every condition that can be resolved this way. No third-party tools, no API calls, no risk beyond what Oracle's own UI carries.

✓ Functional First
2. When the UI Path Is Insufficient
Can a REST API PATCH or FBDI reimport resolve this?

For bulk corrections or conditions not surfaced in the standard UI, Oracle Fusion's public REST APIs and FBDI import templates are the supported programmatic path. A REST API PATCH call to correct an invoice distribution account, an FBDI resubmission with corrected records after an import failure, or a Mass Update via the REST API — these are supported, documented, and reversible through normal Oracle mechanisms. The current state is exported before any API call is made.

The API endpoint is an Oracle-published, versioned REST resource
The FBDI template matches the current Fusion release version
The pre-action state is exported (OTBI report / GET response) before the PATCH or import runs
The result is verified via a follow-up GET or OTBI query before the case is closed
⚡ API / FBDI
3. Hard Stops — No Exceptions
Does this require Oracle Support?

Certain conditions in Fusion Cloud cannot be resolved through any customer-accessible interface. The diagnostic flags these and generates the Service Request documentation:

ESS job infrastructure failures — job status Error (not Completed with Warnings) indicating an engine-level issue not caused by data
Subledger accounting engine errors — Create Accounting failures where the error is in the Oracle accounting engine, not in the source transaction data
Recurring failures after correct setup — a condition that returns after a confirmed correct resolution indicates a code defect, submitted as an SR with a reproducible test case
Fusion data corruption — records in an inconsistent internal state not reachable through any published API or UI action
⚠ Oracle Support
4. For All Actions Taken
Export → Act → Verify → Document

Before any UI action, ESS resubmission, REST API call, or FBDI reimport — the current error state is exported via OTBI report, BIP report output, or REST API GET response. After the action, a verification step confirms the expected outcome. The complete sequence — tool used, pre-action state, action taken, result verified — is written into the KB article as the primary record of what was done and why.

📋 Documented
Condition Identified | Resolution Path | Notes
Missing job role — user cannot access function | Functional First | Assign the correct job role via Security Console > Users > Assign Roles after SoD check. SYS-08 identifies the required privilege, the duty role containing it, and the job role to assign.
Data security access not granted — correct role, wrong BU | Functional First | Grant data access via Security Console > Manage Data Access for Users. SYS-08 identifies the business unit or legal entity the user needs access to and the data security policy to use.
SoD conflict blocking role assignment | Functional First | Review the SoD conflict via Security Console > SoD Policies. SYS-08 identifies the conflicting role pair and the exception approval process if the business requires both roles for the same user.
User cannot see navigation menu item | Functional First | Use Security Console > Privilege Trace to identify the exact privilege controlling the menu item. SYS-08 maps the privilege to the duty role and job role to assign.
Custom role not inheriting privileges correctly | Functional First | Review the custom role hierarchy via Security Console > Roles. SYS-08 identifies whether the custom role has the correct duty role assignments and whether any inherited privileges have been excluded.
Role assignment not taking effect — propagation delay | Functional First | Fusion role propagation typically takes 10-30 minutes. SYS-08 confirms whether the delay is within the normal propagation window or whether a manual User Role Sync ESS submission is needed.
User locked out — too many failed login attempts | Functional First | Reset the password or unlock the account via Security Console > Users. SYS-08 identifies the lockout status and the unlock navigation path.
Role missing expected privilege after Oracle update | Oracle Support SR | Oracle quarterly updates sometimes change role-privilege mappings. If an Oracle-seeded role is missing a privilege after a Fusion update, SYS-08 documents the role, privilege, and update version for the Oracle Support SR.

Safeguards

Nothing Acts Without a Documented State

Fusion Cloud's SaaS architecture eliminates direct database access — which means every action is a supported Oracle API call, UI operation, or ESS submission. Before any action runs, the current error state is captured. After any action, the result is verified.

Pre-Action Documentation — All Completed First
REST API: GET /security/users/JMARTINEZ/roles — role list exported
Exported before any corrective action is taken
OTBI: Security — user role assignment export before change
Exported before any corrective action is taken
Security Console — role hierarchy screenshot before assignment
Exported before any corrective action is taken
Post-action verification
Follow-up OTBI query or REST GET confirms the expected state before the case is closed

Fusion Audit Trail — What Replaces CONS_BACKUP

In EBS R12, a CONS_BACKUP table provides the rollback point. In Fusion Cloud, the equivalent audit trail is built from three sources that together give a complete before-and-after record:

BEFORE STATE
OTBI report export or REST API GET response saved as the pre-action snapshot
ACTION RECORD
Fusion audit trail (Setup and Maintenance > Audit Reports) captures every UI and API change with user, timestamp, old value, and new value
AFTER STATE
Post-action OTBI query or REST GET confirms the fix — this output becomes the KB article verification artifact

SYS-08 — Fusion Diagnostic Framework
════════════════════════════════════════════════════════════
  ORACLE FUSION — SECURITY ROLE DIAGNOSTIC STEPS
════════════════════════════════════════════════════════════
  Platform           : Oracle Fusion Cloud
  Tools              : Security Console, REST API, OTBI Security, Privilege Trace
  Pre-Action Export  : Current role assignments exported before any change
────────────────────────────────────────────────────────────
  Step 1 — REST API    : GET /security/users/JMARTINEZ/roles — 2 roles retrieved ✓
  Step 2 — Privilege   : FUN_SUBMIT_ACCTG_HUB — missing role identified ✓
  Step 3 — Data Access : US Primary Ledger data access confirmed — not blocking ✓
  Step 4 — SoD Check   : No SoD conflict with existing AP Specialist role ✓
────────────────────────────────────────────────────────────
  DIAGNOSTIC COMPLETE — Role assignment path confirmed
════════════════════════════════════════════════════════════
  Documentation      : KB article from REST API and Security Console output
  Fusion Audit Trail : Role assignment logged in Security Console audit trail
  SR Reference       : N/A — resolved via Security Console role assignment
════════════════════════════════════════════════════════════

Knowledge Base

Every Execution Produces a Record

The knowledge base article is generated automatically from the script's execution output. No manual documentation required. It becomes the institutional record — for the team, for auditors, and for every future engagement in the same environment.

Zero Manual Effort
Every field — environment, tables, before/after values, backup reference, root cause, prevention — is generated from actual execution output. Nothing is written by hand.
Patterns Surface Over Time
The first engagement produces findings. The third produces patterns. Recurring conditions that are invisible as individual incidents become obvious as knowledge base trends.
Survives Staff Turnover
The knowledge base is an institutional record of the Oracle environment. A new manager, a new DBA, or an external auditor can read exactly what happened, what was done, and what prevents recurrence.

Oracle Documentation References

References the Oracle public documentation for this diagnostic area. These links open directly on docs.oracle.com.

Documentation Page | Title | Scenario
Accounts Payable Manager Job Role | Accounts Payable Manager Job Role — Fusion | Fusion role inheritance and aggregate privilege structure
Implement General Ledger | Getting Started with Financials — Security | Business unit data security and HCM security profile configuration
Using Payables Invoice To Pay | Using Payables Invoice to Pay — Data Access | Invoice and payment access restriction by business unit in Fusion

Ready to Resolve This in Your Environment?

SYS-08 is one of 65 diagnostic scripts covering every major Oracle EBS and Fusion module. William A. Green Consulting runs the script in your environment, applies guided data fixes, and builds the knowledge base that prevents the same issues from recurring.